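When a sub-account accesses resources of the primary account through the Domain API, the call is subject to authorization rules. This topic describes those rules.

When a sub-account accesses the primary account's Domain resources through the Domain API, the Domain backend performs a permission check against RAM to confirm that the resource owner has granted the caller the required permissions on the required resources.

Each Domain API determines which resources need a permission check based on the resources involved and the semantics of the API. The following tables describe the authorization rules for each API.

Note: $accountid represents the account ID. You can log on to your Alibaba Cloud account to view the account ID.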

Table 1. Resource-level authorization

| API | Authorization action | Authorization resource |
| --- | --- | --- |
| SaveSingleTaskForUpdatingContactInfo | domain:DomainInfoModification | acs:domain:*:$accountid:domain/$domainName |
| SaveBatchTaskForUpdatingContactInfo | domain:DomainInfoModification | acs:domain:*:$accountid:domain/$domainName |
| TransferInReenterTransferAuthorizationCode | domain:DomainTransferInOperation | acs:domain:*:$accountid:domain/$domainName |
| TransferInRefetchWhoisEmail | domain:DomainTransferInOperation | acs:domain:*:$accountid:domain/$domainName |
| TransferInResendMailToken | domain:DomainTransferInOperation | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForCancelingTransferIn | domain:DomainTransferInOperation | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForCancelingTransferOut | domain:DomainTransferOutOperation | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForQueryingTransferAuthorizationCode | domain:DomainTransferOutOperation | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForModifyingDnsHost | domain:DnsHostModification | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForCreatingDnsHost | domain:DnsHostModification | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForSynchronizingDnsHost | domain:DnsHostModification | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForDeletingDnsHost | domain:DnsHostModification | acs:domain:*:$accountid:domain/$domainName |
| SaveBatchTaskForModifyingDomainDns | domain:DnsModification | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForTransferProhibitionLock | domain:SecuritySetting | acs:domain:*:$accountid:domain/$domainName |
| SaveBatchTaskForTransferProhibitionLock | domain:SecuritySetting | acs:domain:*:$accountid:domain/$domainName |
| SaveSingleTaskForUpdateProhibitionLock | domain:SecuritySetting | acs:domain:*:$accountid:domain/$domainName |
| SaveBatchTaskForUpdateProhibitionLock | domain:SecuritySetting | acs:domain:*:$accountid:domain/$domainName |

Table 2. Operation-level authorization

| API | Authorization action | Authorization resource |
| --- | --- | --- |
| QueryDomainList | domain:QueryCommonInfo | acs:domain:*:$accountid:* |
| QueryDomainByInstanceId | domain:QueryCommonInfo | acs:domain:*:$accountid:* |
| QueryContactInfo | domain:QueryCommonInfo | acs:domain:*:$accountid:* |
| VerifyContactField | domain:QueryCommonInfo | acs:domain:*:$accountid:* |
| QueryTaskList | domain:QueryDomainTask | acs:domain:*:$accountid:* |
| QueryTaskInfoHistory | domain:QueryDomainTask | acs:domain:*:$accountid:* |
| QueryTaskDetailList | domain:QueryDomainTask | acs:domain:*:$accountid:* |
| QueryTaskDetailHistory | domain:QueryDomainTask | acs:domain:*:$accountid:* |
| PollTaskResult | domain:QueryDomainTask | acs:domain:*:$accountid:* |
| QueryChangeLogList | domain:QueryChangeLog | acs:domain:*:$accountid:* |
| QueryTransferInByInstanceId | domain:QueryDomainTransferIn | acs:domain:*:$accountid:* |
| QueryTransferInList | domain:QueryDomainTransferIn | acs:domain:*:$accountid:* |
| CheckTransferInFeasibility | domain:QueryDomainTransferIn | acs:domain:*:$accountid:* |
| TransferInCheckMailToken | domain:TransferInCheckMailToken | acs:domain:*:$accountid:* |
| QueryTransferOutInfo | domain:QueryDomainTransferOut | acs:domain:*:$accountid:* |
| QueryDnsHost | domain:QueryDnsHost | acs:domain:*:$accountid:* |
| QueryRegistrantProfiles | domain:QueryRegistrantProfile | acs:domain:*:$accountid:* |
| ListEmailVerification | domain:QueryEmailVerification | acs:domain:*:$accountid:* |
| AcknowledgeTaskResult | domain:AcknowledgeTaskResult | acs:domain:*:$accountid:* |
| SaveRegistrantProfile | domain:RegistrantProfileOperation | acs:domain:*:$accountid:* |
| DeleteRegistrantProfile | domain:RegistrantProfileOperation | acs:domain:*:$accountid:* |
| DeleteEmailVerification | domain:EmailVerificationOperation | acs:domain:*:$accountid:* |
| VerifyEmail | domain:EmailVerificationOperation | acs:domain:*:$accountid:* |
| ResendEmailVerification | domain:EmailVerificationOperation | acs:domain:*:$accountid:* |
| SubmitEmailVerification | domain:EmailVerificationOperation | acs:domain:*:$accountid:* |

Table 3. Service-level authorization

| API | Authorization action | Authorization resource |
| --- | --- | --- |
| * | domain:* | acs:domain:*:$accountid:* |
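
The following added example (not part of the original documentation, and not Alibaba Cloud code) models the check described above for a few rows of the tables, comparing a service-level grant with a policy scoped to one domain. Assumptions: the account ID and `example.com` are constructed placeholders, the policies follow the RAM policy document layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`), and `fnmatchcase` is a simplified stand-in for RAM's wildcard matching; the real decision is always made by RAM.

```python
from fnmatch import fnmatchcase

ACCOUNT_ID = "1234567890123456"  # constructed placeholder for $accountid

# Subset of the tables above: API -> (authorization action, checked per domain?)
API_RULES = {
    "SaveBatchTaskForModifyingDomainDns": ("domain:DnsModification", True),
    "SaveSingleTaskForTransferProhibitionLock": ("domain:SecuritySetting", True),
    "SaveSingleTaskForQueryingTransferAuthorizationCode":
        ("domain:DomainTransferOutOperation", True),
    "QueryDomainList": ("domain:QueryCommonInfo", False),
}

# Service-level grant (Table 3): every Domain API on every domain of the account.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "domain:*",
     "Resource": f"acs:domain:*:{ACCOUNT_ID}:*"}]}

# Scoped grant: DNS changes on one domain, plus the read-only domain list.
SCOPED_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "domain:DnsModification",
     "Resource": f"acs:domain:*:{ACCOUNT_ID}:domain/example.com"},
    {"Effect": "Allow", "Action": "domain:QueryCommonInfo",
     "Resource": f"acs:domain:*:{ACCOUNT_ID}:*"}]}

def required_check(api, domain_name=None):
    """Return the (action, resource) pair the tables say is checked for this API."""
    action, per_domain = API_RULES[api]
    suffix = f"domain/{domain_name}" if per_domain else "*"
    return action, f"acs:domain:*:{ACCOUNT_ID}:{suffix}"

def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, api, domain_name=None):
    """Simplified evaluation: explicit Deny wins, otherwise any matching Allow."""
    action, resource = required_check(api, domain_name)
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def permitted_apis(policy, domain_name):
    """List the APIs in API_RULES that the policy permits for one domain."""
    return sorted(a for a in API_RULES if is_allowed(policy, a, domain_name))
```

Under the scoped policy the sub-account can change DNS only for `example.com` and cannot retrieve a transfer authorization code or change the transfer lock, whereas the service-level grant permits all of them on every domain.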